Wednesday, June 3, 2009

Why doesn't anyone pull their security SOx up?

This is a question that has been raging in my mind for a while now. It is an area where I see great scope for improvement, and one whose requirements are currently very rarely, if ever, followed.

The Prologue
First, a prologue to the entire story. I am sure all of you know the Sarbanes-Oxley Act of 2002, popularly known as SOx. It is one of the most important compliance requirements for publicly listed companies in the US. The Act created the PCAOB (Public Company Accounting Oversight Board), an independent body that oversees the auditors of public companies. SOx arrived in the wake of accounting scandals such as Enron and WorldCom. These scandals rocked the business world and caused a great deal of embarrassment for corporate America. They all had something in common: the books had been cooked (financials misstated), and the rot went to the very top, including the CEOs and CFOs of some of these organizations.

Enter SOx. The Act was the brainchild of Senator Paul Sarbanes and Representative Michael Oxley, whose last names it carries. Their take was that shareholders and the general public needed to be able to reaffirm their faith in an organization's financial statements. This involved, first of all, establishing accountability at the top (under Section 302 the CEO and CFO personally certify the financial statements, since top management had been intricately involved in the earlier scandals and had the most reason to misstate financials), and giving auditors the teeth to ensure that the organization's control environment was adequate to support a "true and fair" view of the financial statements (Section 404 requires management to assess its internal control over financial reporting and the external auditor to attest to that assessment). Therefore, as one can clearly see, SOx is primarily concerned with the integrity of the financial statements and the environment in which they are created and processed. The auditor assessing an entity for SOx needs to ensure that the environment in which the financials are prepared is secure and, more importantly, has controls that can be relied upon to preserve the integrity of information and, lastly, to ensure that the financials are not misstated. This involves a process many of us have heard of: identify scope, perform a risk assessment, document controls, test controls, identify gaps, improve continuously.

The Conundrum
Our look at SOx was fine and dandy, but none of that is new, right? All of you have heard it time and time again, especially those of you who work for large consulting firms and have seen SOx thrown around in conversation many times. Lately I have been interacting with a lot of the auditors who assess their clients for SOx compliance. My question to them is usually, "How do you assess the integrity of the environment which is involved in the creation and processing of financial information?". Their answer is usually something like this: "We usually ask a few questions about their IT policies and procedures and establish whether we can rely on the financial statements. Our worry is more on the business processes".

When I say "financial information", I mean information from all quarters that feeds into the preparation of the financial statements: any system involved in the initiation, authorization, recording, processing and reporting of financial information. You can imagine that this is a lot. An organization's ERP system would be part of it; for an e-commerce company, the accounting and inventory-management modules of the e-commerce application would probably need to be part of the SOx assessment as well.

Let me give you a quite realistic scenario and then explain the matter. What if an ERP application is vulnerable to an application-level flaw like cross-site scripting (XSS) or SQL injection, through which an insider can hijack sessions, gain access to privileged information and make unauthorized changes that are neither logged nor checked in any way? Suppose an employee submits an expense statement, hijacks his manager's session and authorizes that expense statement himself, with no log of the approval. Would I, as an auditor, rely on the financial statements of such an environment, knowing that the application could be compromised and the financials potentially modified or, in some cases, even destroyed, and all of it unchecked because nothing is logged? Look at the business-process side of the same thing: if a person could initiate an expense statement and authorize it himself as part of a business process, that would be regarded as a serious hole in the organization's internal control, and the assessor would have no doubt that it was a significant deficiency. The technical route to the same outcome deserves the same verdict.

Let us take another instance. Suppose a business unit of a corporation has several network weaknesses: no proper firewall rules restricting specific IP and port sets, and default passwords still in place on network devices and servers. Suppose a supplier breaks into this network and overstates the value of the organization's accounts payable. Would I, as an auditor, sign off on that entity's financials, knowing that the entity can easily be breached and the integrity of its data adversely affected?
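The expense-statement scenario above, reduced to working code, as an added illustration that is not part of the original post. It puts the weak approval path (approver taken from a request parameter, nothing logged) next to a hardened one that takes identity from the authenticated session, enforces segregation of duties (the submitter may never approve his own claim, and only the designated manager may approve), and records every attempt in a hash-chained audit log whose tampering is detectable. The manager directory, user names, IP addresses and amounts are all constructed for the example; the session objects stand in for whatever the real application's authentication layer produces.

```python
"""Expense approval with the internal controls a SOx assessor looks for.

Added illustration, not code from the original post. The manager directory,
users, IPs and amounts below are constructed for the example.
"""
import hashlib
import json


class ControlViolation(Exception):
    """Raised when an action would breach an internal control."""


class AuditLog:
    """Append-only, hash-chained log: editing or dropping an entry breaks verify()."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(prev, event):
        body = json.dumps(event, sort_keys=True)
        return hashlib.sha256((prev + body).encode()).hexdigest()

    def record(self, event):
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        self.entries.append({"event": event, "prev": prev, "hash": self._digest(prev, event)})

    def verify(self):
        prev = self.GENESIS
        for e in self.entries:
            if e["prev"] != prev or self._digest(prev, e["event"]) != e["hash"]:
                return False
            prev = e["hash"]
        return True


class ExpenseSystem:
    def __init__(self, managers):
        self.managers = managers      # employee -> designated approving manager (constructed)
        self.expenses = {}
        self.audit = AuditLog()
        self._next_id = 1

    def submit(self, session, amount):
        eid = self._next_id
        self._next_id += 1
        self.expenses[eid] = {"submitter": session["user"], "amount": amount, "status": "pending"}
        self.audit.record({"action": "submit", "id": eid, "actor": session["user"],
                           "ip": session["ip"], "amount": amount})
        return eid

    def approve_weak(self, claimed_approver, eid):
        """The 'before' picture: approver identity comes from a request parameter and
        nothing is logged. Whoever can send the request can approve, without a trace."""
        self.expenses[eid]["status"] = "approved"
        self.expenses[eid]["approver"] = claimed_approver

    def approve(self, session, eid):
        """Hardened path: identity from the authenticated session, segregation of
        duties enforced, designated approver enforced, every attempt logged."""
        exp = self.expenses[eid]
        actor = session["user"]
        base = {"action": "approve", "id": eid, "actor": actor, "ip": session["ip"]}
        if actor == exp["submitter"]:
            self.audit.record({**base, "result": "denied", "reason": "self-approval"})
            raise ControlViolation("segregation of duties: submitter cannot approve own claim")
        if self.managers.get(exp["submitter"]) != actor:
            self.audit.record({**base, "result": "denied", "reason": "not designated approver"})
            raise ControlViolation(f"{actor} is not the approver for {exp['submitter']}")
        exp["status"] = "approved"
        exp["approver"] = actor
        self.audit.record({**base, "result": "allowed", "amount": exp["amount"]})


def demo():
    alice = {"user": "alice", "ip": "10.0.0.5"}   # constructed sessions
    bob = {"user": "bob", "ip": "10.0.0.9"}

    # Weak system: Alice approves her own claim by naming "bob" in the request. No trace.
    weak = ExpenseSystem(managers={"alice": "bob"})
    weid = weak.submit(alice, 4200.00)
    weak.approve_weak("bob", weid)

    # Hardened system: self-approval is blocked and logged, the manager's approval is logged.
    hard = ExpenseSystem(managers={"alice": "bob"})
    eid = hard.submit(alice, 4200.00)
    try:
        hard.approve(alice, eid)
        self_approved = True
    except ControlViolation:
        self_approved = False
    hard.approve(bob, eid)

    # Someone later edits the log to hide the denied attempt: the chain no longer verifies.
    intact_before = hard.audit.verify()
    hard.audit.entries[1]["event"]["result"] = "allowed"
    intact_after = hard.audit.verify()

    return {"weak_status": weak.expenses[weid]["status"],
            "weak_log_entries": len(weak.audit.entries),      # only the submit, approval unseen
            "self_approved": self_approved,
            "status": hard.expenses[eid]["status"],
            "approver": hard.expenses[eid]["approver"],
            "log_entries": len(hard.audit.entries),           # submit, denied, allowed
            "intact_before": intact_before, "intact_after": intact_after}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The hash chain does not stop a hijacked manager session from approving a claim; it ensures that the approval, its source address and its timing are on record, so the reconciliation an assessor relies on has something to reconcile against. In a real deployment the chain head would be written out to a separate system the application cannot modify, which is the integrity-monitoring piece the last section of this post mentions.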

This is just the auditor's standpoint. A company would be held equally responsible for its negligence of IT security (as IT is a key driver of the financial statements), and its reputation and business value would be seriously impacted.

Unfortunately, the scenarios I gave you have real-life significance and are quite common in the corporate environment, and I believe they are largely going unchecked, because the auditors for SOx are usually not equipped to assess IT controls and labour under the false belief that SOx applies only to business processes and the related internal control. The real picture is quite different. In today's world of highly connected enterprises, IT is a huge area of consideration. IT controls form an integral part of the entity's internal control and can significantly affect the way financial information is initiated, authorized, processed and recorded.

The Solution
My advice to the SOx assessors and auditors of the world is this. IT security is an important consideration for any entity today. SOx does not absolve you of the duty of performing a basic risk assessment and control testing on the IT side (as you would for a business process, assessing its internal control to ensure that the financial statements may be relied upon). In today's digital age, the integrity of information can be made or broken by IT security. SOx must be treated like any other security compliance requirement: scope the processes and applications that affect financial information, perform a risk assessment, test the controls of those processes or applications, and analyse the gaps. As you can see, this clearly involves areas like firewall management, application and network security testing, secure application development, deployment and configuration, network change management, logging, integrity monitoring, patching, anti-virus and all the other IT security requirements that can be formulated through effective risk assessment and best practice. Bottom line: SOx is not just a financial standard. It has a serious impact in an IT environment and from an IT standpoint.

3 comments:

Renju Varghese said...

Hi,

nice article... keep it up...

Renju Varghese Jolly (Novice Trader) said...

Nice Article... keep it up...

Abhay Bhargav said...

Thanks mate!!

Disclaimer

The views presented in this blog are entirely mine and are not those of my company.

© Abhay Bhargav 2010